
Worm_redist.e

I have just found this on FOUR computers on my Network!

WORM_REDIST.E is a non-destructive worm that spreads via email using Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It also has password-stealing capabilities. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Ircskins.skn
Msgsf32.exe
Msipxc32.exe
Scrset32.scr
Winscz32.exe
Winsetr32.exe
It drops the following copies of itself into the Windows system folder:

Icmpmgr32.exe
Lnkscrc32.scr
Msgmain32.exe
Msgsvc32.pif
Msrun32.exe
Svcmsg32.pif
Winlnkf32.pif
It drops the following copy into the Startup folder:

Startw32.pif
The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE, to execute at every Windows startup.

This worm propagates by sending a copy of itself to all email addresses found in the infected user's address book. It uses Microsoft Outlook (MAPI) to send email with varying details. Samples of the email it sends are as follows:

Subject: A new screensaver
Message Body: Take a look at this new screensaver in the attachments that I downloaded from the internet a while ago. If you like it, try setting it as your system screensaver Cya!
Attachment: 3DFish.scr

Subject: Your file
Message Body: Here is that file that you asked for (in the attachments). Sorry that I sent it late, I had trouble finding it on the computer.
Attachment: Picture2.pif

This worm also attempts to propagate to other P2P and chat clients. To do so, it drops the following copies of itself:

\My Music
\My Documents\My Music
This worm also attempts to capture and send cached passwords to a remote malicious user. This function only applies on systems running Windows 95 and 98, since the API used is not available on NT-based systems. It appears that the information is being sent to the following email address: Zed_rRlf@hotmail.com
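As an added example (not part of the original post or the vendor write-up it quotes), here is a small Python sweep a defender could run over a host inventory to spot the dropped copies and the WINSCZ32.EXE autorun entry described above. The directory listings and Run-key values it checks are constructed sample data, and the value name "Msgsrv" is invented for the sample.

```python
"""Sweep a directory inventory and Run-key values for WORM_REDIST.E artefacts.

Added example; filenames come from the description above, sample data is constructed.
"""
import ntpath

# Copies named in the description (location of this first group is not stated).
DROPPED_COPIES = {"ircskins.skn", "msgsf32.exe", "msipxc32.exe",
                  "scrset32.scr", "winscz32.exe", "winsetr32.exe"}
# Copies dropped into the Windows system folder.
SYSTEM_FOLDER_COPIES = {"icmpmgr32.exe", "lnkscrc32.scr", "msgmain32.exe",
                        "msgsvc32.pif", "msrun32.exe", "svcmsg32.pif", "winlnkf32.pif"}
# Copy dropped into the Startup folder.
STARTUP_COPIES = {"startw32.pif"}
# The copy the registry autorun entries launch at every Windows startup.
AUTORUN_IMAGE = "winscz32.exe"

ALL_NAMES = DROPPED_COPIES | SYSTEM_FOLDER_COPIES | STARTUP_COPIES


def sweep_listing(listing):
    """listing: {folder_path: [filenames]} -> list of (folder, filename) hits.
    Matching is case-insensitive because FAT and NTFS file names are."""
    return [(folder, name) for folder, names in listing.items()
            for name in names if name.lower() in ALL_NAMES]


def _image_path(command):
    """Extract the executable path from a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def sweep_run_keys(run_values):
    """run_values: {value_name: command_line} from HKLM/HKCU ...\\CurrentVersion\\Run.
    Returns the value names whose image is the worm's autorun copy."""
    return [name for name, cmd in run_values.items()
            if ntpath.basename(_image_path(cmd)).lower() == AUTORUN_IMAGE]


# Constructed sample inventory of one host (not real data).
SAMPLE_LISTING = {
    r"C:\WINDOWS\SYSTEM": ["KERNEL32.DLL", "Msgsvc32.pif", "WINSCZ32.EXE"],
    r"C:\WINDOWS\Start Menu\Programs\StartUp": ["Startw32.pif"],
    r"C:\My Documents\My Music": ["song.mp3"],
}
SAMPLE_RUN = {"SystemTray": r"C:\WINDOWS\SYSTEM\systray.exe",
              "Msgsrv": r"C:\WINDOWS\SYSTEM\WINSCZ32.EXE"}  # "Msgsrv" is invented

if __name__ == "__main__":
    for folder, name in sweep_listing(SAMPLE_LISTING):
        print(f"dropped copy: {folder}\\{name}")
    for value in sweep_run_keys(SAMPLE_RUN):
        print(f"autorun entry: {value}")
```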